Hi, On Tue, Apr 26, 2022 at 9:15 PM Victoria Fierce via FreeIPA-users < [email protected]> wrote:
> Howdy. > > I've been a long-time user of freeipa and have had a small instance > running at home via fedora packages for the past 5 years or so. Its > actually hard to know just how long I've had it running, but that's besides > the point; for what feels like ages I've never had to really mess with it > and it kept on ticking. Until recently. > > I'm no longer able to use the ipa command line tool or the webui. The > webui correctly rejects any invalid passwords with an invalid password > message, but any /correct/ credentials simply says "Your session has > expired. Please log in again.". All of my clients are using the same NTP > server as the server, nothing it out of sync, and caches have been cleared > multiple times. I know this isn't a browser issue, because of the next > point: > > I can't use the ipa command on my server anymore. Here's a brief sample of > one such attempt: > > [root@io kdc]# kinit admin > Password for [email protected]: > [root@io kdc]# ipa -d > ipa: DEBUG: Loading Index file from > '/var/lib/ipa-client/sysrestore/sysrestore.index' > ipa: DEBUG: Loading StateFile from > '/var/lib/ipa-client/sysrestore/sysrestore.state' > ipa: DEBUG: Loading StateFile from > '/var/lib/ipa-client/sysrestore/sysrestore.state' > ipa: DEBUG: failed to find session_cookie in persistent storage for > principal '[email protected]' > ipa: DEBUG: trying https://io.malloc.hackerbots.net/ipa/json > ipa: DEBUG: Created connection context.rpcclient_139701656917472 > ipa: DEBUG: [try 1]: Forwarding 'schema' to json server ' > https://io.malloc.hackerbots.net/ipa/json' > ipa: DEBUG: New HTTP connection (io.malloc.hackerbots.net) > ipa: DEBUG: received Set-Cookie (<class > 'list'>)'['ipa_session=MagBearerToken=lflo9aPGmula4dSW7i8LbiI7ZNH%2bSycMGOGpqZiZkD0bydWnWfzv7bSuTIzsvdQGPas3BatwwBmREuVlVM0iT0%2by2tto74XdZXXYrv4MhOFT7q3vECladuGsQgqInfrIeLG4a8LMQ0CqE8exLdtttJtt%2fydt1lHzsbHCTigV7TS8CF%2bnZ7558549uo5rJtG%2f6YXG7p0zzhQ4hUYOPwjR%2byux%2bIQhK5PeVu3TKnofFZk%3d;path=/ipa;httponly;secure;']' > ipa: DEBUG: storing cookie > 'ipa_session=MagBearerToken=lflo9aPGmula4dSW7i8LbiI7ZNH%2bSycMGOGpqZiZkD0bydWnWfzv7bSuTIzsvdQGPas3BatwwBmREuVlVM0iT0%2by2tto74XdZXXYrv4MhOFT7q3vECladuGsQgqInfrIeLG4a8LMQ0CqE8exLdtttJtt%2fydt1lHzsbHCTigV7TS8CF%2bnZ7558549uo5rJtG%2f6YXG7p0zzhQ4hUYOPwjR%2byux%2bIQhK5PeVu3TKnofFZk%3d;' > for principal [email protected] > ipa: DEBUG: Destroyed connection context.rpcclient_139701656917472 > ipa: ERROR: Insufficient access: SASL(-1): generic failure: GSSAPI Error: > Unspecified GSS failure. Minor code may provide more information > (Credential cache is empty) > > Wish I could say how long its been like this or what I did to break it, > but again, its been running for so long that I've never really had to check > in on it! This is a Fedora 32 server that has gone through several distro > upgrades over the years and through each one, freeipa kept running without > issue. I'm certain that at some point in the last year I've upgraded a > package that broke this, but there is no way to check. Kerberos continues > to work fine; I can login to other services and change passwords and > whatnot. ldapsearch returns results and I can bind to it, and other > services that utilize ldap for authentication still work great. Except for, > of course, the freeipa web app. It looks like freeipa hasn't seen a new > release in quite some time, so I'm prepared to do a bunch of debugging > myself if anyone could point me in the right directions. > > Additionally, here's the apache error_log with debug=true in > /etc/ipa/server.conf: > > [Mon Apr 18 10:57:31.776194 2022] [ssl:info] [pid 1989623:tid 1989819] > [client 127.0.0.1:42826] AH01964: Connection to child 8 established > (server io.malloc.hackerbots.net:443) > [Mon Apr 18 10:57:31.776376 2022] [ssl:debug] [pid 1989623:tid 1989819] > ssl_engine_kernel.c(2374): [client 127.0.0.1:42826] AH02043: SSL virtual > host for servername io.malloc.hackerbots.net found > [Mon Apr 18 10:57:31.779851 2022] [ssl:debug] [pid 1989623:tid 1989819] > ssl_engine_kernel.c(2254): [client 127.0.0.1:42826] AH02041: Protocol: > TLSv1.3, Cipher: TLS_AES_256_GCM_SHA384 (256/256 bits) > [Mon Apr 18 10:57:31.779966 2022] [socache_shmcb:debug] [pid 1989623:tid > 1989819] mod_socache_shmcb.c(493): AH00831: socache_shmcb_store (0x4a -> > subcache 10) > [Mon Apr 18 10:57:31.779974 2022] [socache_shmcb:debug] [pid 1989623:tid > 1989819] mod_socache_shmcb.c(847): AH00847: insert happened at idx=2, > data=(378:410) > [Mon Apr 18 10:57:31.779977 2022] [socache_shmcb:debug] [pid 1989623:tid > 1989819] mod_socache_shmcb.c(850): AH00848: finished insert, subcache: > idx_pos/idx_used=0/3, data_pos/data_used=0/595 > [Mon Apr 18 10:57:31.779981 2022] [socache_shmcb:debug] [pid 1989623:tid > 1989819] mod_socache_shmcb.c(515): AH00834: leaving socache_shmcb_store > successfully > [Mon Apr 18 10:57:31.780083 2022] [socache_shmcb:debug] [pid 1989623:tid > 1989819] mod_socache_shmcb.c(493): AH00831: socache_shmcb_store (0xde -> > subcache 30) > [Mon Apr 18 10:57:31.780088 2022] [socache_shmcb:debug] [pid 1989623:tid > 1989819] mod_socache_shmcb.c(847): AH00847: insert happened at idx=1, > data=(217:249) > [Mon Apr 18 10:57:31.780091 2022] [socache_shmcb:debug] [pid 1989623:tid > 1989819] mod_socache_shmcb.c(850): AH00848: finished insert, subcache: > idx_pos/idx_used=0/2, data_pos/data_used=0/434 > [Mon Apr 18 10:57:31.780094 2022] [socache_shmcb:debug] [pid 1989623:tid > 1989819] mod_socache_shmcb.c(515): AH00834: leaving socache_shmcb_store > successfully > [Mon Apr 18 10:57:31.780181 2022] [ssl:debug] [pid 1989623:tid 1989819] > ssl_engine_kernel.c(415): [client 127.0.0.1:42826] AH02034: Initial > (No.1) HTTPS request received for child 8 (server > io.malloc.hackerbots.net:443), referer: > https://io.malloc.hackerbots.net/ipa/xml > [Mon Apr 18 10:57:31.780373 2022] [authz_core:debug] [pid 1989623:tid > 1989819] mod_authz_core.c(815): [client 127.0.0.1:42826] AH01626: > authorization result of Require valid-user : denied (no authenticated user > yet), referer: https://io.malloc.hackerbots.net/ipa/xml > [Mon Apr 18 10:57:31.780384 2022] [authz_core:debug] [pid 1989623:tid > 1989819] mod_authz_core.c(815): [client 127.0.0.1:42826] AH01626: > authorization result of <RequireAny>: denied (no authenticated user yet), > referer: https://io.malloc.hackerbots.net/ipa/xml > [Mon Apr 18 10:57:31.780395 2022] [auth_gssapi:debug] [pid 1989623:tid > 1989819] mod_auth_gssapi.c(893): [client 127.0.0.1:42826] URI: > /ipa/session/json, no main, no prev, referer: > https://io.malloc.hackerbots.net/ipa/xml > [Mon Apr 18 10:57:31.780450 2022] [auth_gssapi:debug] [pid 1989623:tid > 1989819] mod_auth_gssapi.c(983): [client 127.0.0.1:42826] Already > established context found!, referer: > https://io.malloc.hackerbots.net/ipa/xml > [Mon Apr 18 10:57:31.780482 2022] [authz_core:debug] [pid 1989623:tid > 1989819] mod_authz_core.c(815): [client 127.0.0.1:42826] AH01626: > authorization result of Require valid-user : granted, referer: > https://io.malloc.hackerbots.net/ipa/xml > [Mon Apr 18 10:57:31.780486 2022] [authz_core:debug] [pid 1989623:tid > 1989819] mod_authz_core.c(815): [client 127.0.0.1:42826] AH01626: > authorization result of <RequireAny>: granted, referer: > https://io.malloc.hackerbots.net/ipa/xml > [Mon Apr 18 10:57:31.780544 2022] [lookup_identity:debug] [pid 1989623:tid > 1989819] mod_lookup_identity.c(445): [client 127.0.0.1:42826] invoked for > user [email protected], referer: > https://io.malloc.hackerbots.net/ipa/xml > [Mon Apr 18 10:57:31.780635 2022] [authz_core:debug] [pid 1989623:tid > 1989819] mod_authz_core.c(815): [client 127.0.0.1:42826] AH01626: > authorization result of Require all granted: granted, referer: > https://io.malloc.hackerbots.net/ipa/xml > [Mon Apr 18 10:57:31.780641 2022] [authz_core:debug] [pid 1989623:tid > 1989819] mod_authz_core.c(815): [client 127.0.0.1:42826] AH01626: > authorization result of <RequireAny>: granted, referer: > https://io.malloc.hackerbots.net/ipa/xml > [Mon Apr 18 10:57:31.780648 2022] [auth_gssapi:debug] [pid 1989623:tid > 1989819] mod_auth_gssapi.c(726): [client 127.0.0.1:42826] > GSSapiImpersonate not On, skipping impersonation., referer: > https://io.malloc.hackerbots.net/ipa/xml " GSSapiImpersonate not On" looks suspicious to me. Can you check if /etc/httpd/conf.d/ipa.conf contains "GssapiImpersonate On" in the sections <Location "/ipa"> and <Location "/ipa/session/login_x509"> ? flo > > [Mon Apr 18 10:57:31.781246 2022] [wsgi:error] [pid 1989622:tid 1989934] > [remote 127.0.0.1:42826] ipa: DEBUG: WSGI wsgi_dispatch.__call__: > [Mon Apr 18 10:57:31.781331 2022] [wsgi:error] [pid 1989622:tid 1989934] > [remote 127.0.0.1:42826] ipa: DEBUG: WSGI jsonserver_session.__call__: > [Mon Apr 18 10:57:31.836341 2022] [wsgi:error] [pid 1989622:tid 1989934] > [remote 127.0.0.1:42826] ipa: INFO: 401 Unauthorized: Insufficient > access: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure. > Minor code may provide more information (Credential cache is empty) > _______________________________________________ > FreeIPA-users mailing list -- [email protected] > To unsubscribe send an email to [email protected] > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/[email protected] > Do not reply to spam on the list, report it: > https://pagure.io/fedora-infrastructure >
_______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
